If You Think You Can Ignore IPv6, Think Again

wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."

ISP

[0racle]

Until my home ISP or the ISP for the company I work for offers IPv6, I think it's going to be very easy to ignore IPv6.

Re:ISP

[tysonedwards]

There are *many* 6 year old Cisco routers and switches out there that are still covered under support contracts that won't be getting IPv6 support as they have been End-of-Life'd. Consider for a moment that many of these same ISPs are the ones who elect to throttle their users to 256Kbps if they go above their 5GB monthly usage limit. Smaller ISPs are already going in and double-natting their customers as well to further over-subscribe their network and get by with less. Home ISPs will likely continue ignoring this problem for years to come, until the eventual hardware swaps enables them to support IPv6 and then have a reason to start billing their customers more for "now with public IPs to improve your gaming performance".

Re:ISP

[tweak13]

I'd rather have NAT for v6 too

Why?

There are always so many people saying they want NAT, but if addresses are plentiful then it serves absolutely no purpose. I think that most people who see it as necessary are confusing its function with a firewall. You do not need NAT to do the same things your home router does today. You can still block all incoming connections to a computer and allow all outgoing connections. You can still allow specific ports to be opened to specific machines.

Using a public address on your internal network doesn't automatically mean that you need to just allow any traffic in. Use a firewall to "stealth" every port and there will continue to be no evidence that you have a computer there.

Re:ISP

[tqk]

It's not quite yet the time to retrofit IPv6 everywhere, but it is definitely time to build support into your new development requirements.

Just like y2k, if you coded software that used 2 digit date fields in 1995, you had only yourself to blame for needing to rush around in 1999.

And just like in y2k, after we get IPv6 everywhere and nothing blows up, we'll be blamed for running a con job just like in y2k. "Sheesh, nothing happened, and we spent all that money on getting you to fix a non-problem!"

I say, let's let it blow up this time.

Re:ISP

[The1stImmortal]

He's right - NAT has useful functionality beyond just the "security" aspects.

The IPv6 internet model still only allows provider-independent addressing if you're a member of your regional NIC (with all the associated bits and pieces, like ASNs etc)

NAT is the only sane way to give your network provider independence under this system. If you're forced to renumber your network when changing ISPs, it's a real pain in the neck. Also - what if you want to do redundant internet connections? With IPv4 NAT you just set up the NATing firewall to have two connections with the same priority, enable stateful tracking, and away you go. That's flat out impossible with directly addressed IPv6 - every device would need two IP's (one for each provider subnet), and you'd need to manually configure each device to spit out some traffic with one source IP and other traffic with another source IP.

Additionally, NAT lets you do some useful stuff, like providing multiple services on multiple back-end machines via a single IP (which would of course correspond to a DNS record). For example, providing a "mail.example.com" address which provides POP3, IMAP, Webmail and SMTP submission service - POP3 and IMAP going to the mailstore machine, Webmail to a webserver and SMTP to an MX machine, without needing to configure slow port proxy services which lose valuable information (such as the source IP for connections)

As for IPv6 autoconfiguration, autoconfiguration doesn't deal with:

- Changing application settings dependent on IPv6 addresses
- Updating DNS records
- multiple internet providers/multiple subnets
- port remapping

making it an incomplete solution in itself.

but ignoring is working so well...

[green1]

I finally found the group responsible for IPv6 at my company, and asked about our readiness. now keep in mind, we don't need to wait for an upstream provider as we are the upstream provider, with many peering agreements in place.

The answer I got back basically amounted to two things:

1) nobody else is ready, so we don't need to be either.

2) it's not legally mandated, so it's not important.

I'm so glad we pride ourselves on our ability to innovate...

Re:IPv6 Mess

[SmilingBoy]

Not so fast:

http://cr.yp.to/djbdns/ipv6mess.html

I don't agree at all with this article. The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible. The IPv4 host can only send packets to IP addresses with 32 bit. Any longer number is not understood by the IPv4 host. In order to make this work, the IP stack of every IPv4 host would need to be updated. Guess what has to be done to have IPv4 and IPv6 dual stack? The IP stack of every IPv4 host needs to be updated!

Stop already, it's getting old.

[bill_mcgonigle]

Yes we know.

Major ISP's are just now getting the ball rolling. Client software is still being perfected. The bridges for early adopters are known to be flakey. Talk to the people working on that stuff (oh, wait, you don't need to, they're already underway).

Most readers here will move along when the infrastructure is ready. We know the address space is effectively out but there's little reason to do much at this point, and anybody trying to push people to adopt IPv6 before the tools are robust is kidding themselves.

Re:NAT will never go away

[grcumb]

The idea that NAT will go away just because a network is IPv6 is a pipe dream. No sane security admin would ever allow that. The idea that the firewall is the only thing between you and the outside world is, and should be, a non starter.

IT security is all about multiple layers, and one of them is the fact that you have a DMZ between you and the internet, and that the internet can't route outside of it. That is not going anywhere.

Look, I don't want to be disrespectful to you as a person, but your understanding of network security is... limited. What the fuck does having a DMZ have to do with NAT? It's true that NAT is how the most common way to configure a segregated v4 network, but if you think that NAT is the only (or even the best) way to handle this, you're sorely mistaken.

This may strike you as heresy, but you can construct your network with public-facing addresses, a DMZ and a network of addresses inaccessible from the outside world (except under prescribed circumstances)... all using public IPv6 addresses. The secret is... wait for it... don't fucking route to them, except when you decide it's okay.

The simplest way to do this would be simply to refuse connections originating from outside your network for a designated subnet. Hey presto! All the benefits of NAT without the insanity of NAT!

My employer, a university with campuses in 12 countries, does this already with a public IPv4 block. Last I checked, it was working just fine, thank you very much.

P.S. Yes, we're IPv6-ready.